First pass at making user authentication optional via configuration option. (#91)

* First pass at making user authentication optional via configuration option

* Cleanup, bump SpringBoot version

* codestyle violation fixes

* fix changelog wording

Author: Crim

CHANGELOG.md

@@ -5,7 +5,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 ## 2.0.0 (UNRELEASED)
 
 - Added new Stream consumer management page at /configuration/stream
-- Updated SpringBoot framework from 1.5.x to 2.0.4
+- Added ability to disable user authentication, allowing for anonymous users to access the web service.
+- Updated SpringBoot framework from 1.5.x to 2.0.5.
 
 ### Breaking Changes
 

README.md

@@ -49,12 +49,23 @@ By default config.yml will look similar to:
 server:
   port: 8080
 
-security:
-  require-ssl: false
-
 ## Various App Configs
 app:
+  ## Should be unique to your installation.
+  ## This key will be used for symmetric encryption of JKS/TrustStore secrets if you configure any SSL enabled Kafka clusters.
   key: "SuperSecretKey"
+
+  ## Defines a prefix prepended to the Id of all consumers.
+  consumerIdPrefix: "KafkaWebViewConsumer"
+
+  ## Require SSL
+  requireSsl: false
+
+  ## User authentication options
+  user:
+    ## Require user authentication
+    ## Setting to false will disable login requirement.
+    enabled: true
 ```
 
 ### Starting the service
@@ -78,6 +89,8 @@ Point your browser at `http://localhost:8080` follow the [Logging in for the fir
 
 ## Logging in for the first time
 
+**NOTE** If you've disabled user authentication in your configuration, no login will be required.
+
 On first start up a default Administrator user will be created for you.  Login using `[email protected]` with password `admin`
 
 **NOTE** After logging in you should create your own Administrator user and remove the default account.

kafka-webview-ui/src/assembly/distribution/config.yml

@@ -11,4 +11,10 @@ app:
   consumerIdPrefix: "KafkaWebViewConsumer"
 
   ## Require SSL
-  require-ssl: false
+  requireSsl: false
+
+  ## User authentication options
+  user:
+    ## Require user authentication
+    ## Setting to false will disable login requirement.
+    enabled: true

kafka-webview-ui/src/main/java/org/sourcelab/kafka/webview/ui/configuration/AppProperties.java

@@ -48,9 +48,16 @@ public class AppProperties {
     @Value("${app.consumerIdPrefix}")
     private String consumerIdPrefix;
 
-    @Value("${app.require_ssl:false}")
+    @Value("${app.requireSsl:false}")
     private boolean requireSsl = false;
 
+    /**
+     * Flag read from configuratio file to determine if the app should
+     * enforce User authentication.
+     */
+    @Value("${app.user.enabled:true}")
+    private boolean userAuthEnabled = true;
+
     public String getName() {
         return name;
     }
@@ -75,6 +82,10 @@ public boolean isRequireSsl() {
         return requireSsl;
     }
 
+    public boolean isUserAuthEnabled() {
+        return userAuthEnabled;
+    }
+
     @Override
     public String toString() {
         return "AppProperties{"
@@ -84,6 +95,7 @@ public String toString() {
             + ", maxConcurrentWebSocketConsumers=" + maxConcurrentWebSocketConsumers
             + ", consumerIdPrefix='" + consumerIdPrefix + '\''
             + ", requireSsl='" + requireSsl + '\''
+            + ", userAuthEnabled='" + userAuthEnabled + '\''
             + '}';
     }
 }

kafka-webview-ui/src/main/java/org/sourcelab/kafka/webview/ui/configuration/SecurityConfig.java

@@ -24,10 +24,11 @@
 
 package org.sourcelab.kafka.webview.ui.configuration;
 
+import org.sourcelab.kafka.webview.ui.manager.user.AnonymousUserDetailsService;
+import org.sourcelab.kafka.webview.ui.manager.user.CustomUserDetails;
 import org.sourcelab.kafka.webview.ui.manager.user.CustomUserDetailsService;
 import org.sourcelab.kafka.webview.ui.repository.UserRepository;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
@@ -39,6 +40,8 @@
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.web.context.request.RequestContextListener;
 
+import java.util.ArrayList;
+
 /**
  * Manages Security Configuration.
  */
@@ -49,12 +52,8 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
     @Autowired
     private UserRepository userRepository;
 
-    /**
-     * Allows for requiring all requests over SSL.
-     * If not defined in the config under the key security.require_ssl, we default to false.
-     */
-    @Value("${app.require_ssl:false}")
-    private boolean isRequireSsl;
+    @Autowired
+    private AppProperties appProperties;
 
     private final BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
 
@@ -65,43 +64,21 @@ public PasswordEncoder getPasswordEncoder() {
 
     @Override
     protected void configure(final HttpSecurity http) throws Exception {
-        http
-            // CSRF Enabled
-            .csrf().and()
 
-            .authorizeRequests()
-                // Paths to static resources are available to anyone
-                .antMatchers("/register/**", "/login/**", "/vendors/**", "/css/**", "/js/**", "/img/**")
-                    .permitAll()
-                // Users can edit their own profile
-                .antMatchers("/configuration/user/edit/**", "/configuration/user/update")
-                    .fullyAuthenticated()
-                // But other Configuration paths require ADMIN role.
-                .antMatchers("/configuration/**")
-                    .hasRole("ADMIN")
-                // All other requests must be authenticated
-                .anyRequest()
-                    .fullyAuthenticated()
-                .and()
-
-            // Define how you login
-            .formLogin()
-                .loginPage("/login")
-                .usernameParameter("email")
-                .passwordParameter("password")
-                .failureUrl("/login?error=true")
-                .defaultSuccessUrl("/")
-                .permitAll()
-                .and()
+        // CSRF Enabled
+        http
+            .csrf();
 
-            // And how you logout
-            .logout()
-                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
-                .logoutSuccessUrl("/login")
-                .permitAll();
+        // If user auth is enabled
+        if (appProperties.isUserAuthEnabled()) {
+            // Set it up.
+            enableUserAuth(http);
+        } else {
+            disableUserAuth(http);
+        }
 
         // If require SSL is enabled
-        if (isRequireSsl) {
+        if (appProperties.isRequireSsl()) {
             // Ensure its enabled.
             http
                 .requiresChannel()
@@ -112,10 +89,73 @@ protected void configure(final HttpSecurity http) throws Exception {
 
     @Override
     public void configure(final AuthenticationManagerBuilder auth) throws Exception {
-        auth
-            // Define our custom user details service.
-            .userDetailsService(new CustomUserDetailsService(userRepository))
-            .passwordEncoder(getPasswordEncoder());
+        if (appProperties.isUserAuthEnabled()) {
+            auth
+                // Define our custom user details service.
+                .userDetailsService(new CustomUserDetailsService(userRepository))
+                .passwordEncoder(getPasswordEncoder());
+        } else {
+            auth
+                // Define our custom user details service.
+                .userDetailsService(new AnonymousUserDetailsService());
+        }
+    }
+
+    /**
+     * Sets up HttpSecurity for standard local user authentication.
+     */
+    private void enableUserAuth(final HttpSecurity http) throws Exception {
+        http
+            .authorizeRequests()
+            // Paths to static resources are available to anyone
+            .antMatchers("/register/**", "/login/**", "/vendors/**", "/css/**", "/js/**", "/img/**")
+            .permitAll()
+            // Users can edit their own profile
+            .antMatchers("/configuration/user/edit/**", "/configuration/user/update")
+            .fullyAuthenticated()
+            // But other Configuration paths require ADMIN role.
+            .antMatchers("/configuration/**")
+            .hasRole("ADMIN")
+            // All other requests must be authenticated
+            .anyRequest()
+            .fullyAuthenticated()
+            .and()
+
+            // Define how you login
+            .formLogin()
+            .loginPage("/login")
+            .usernameParameter("email")
+            .passwordParameter("password")
+            .failureUrl("/login?error=true")
+            .defaultSuccessUrl("/")
+            .permitAll()
+            .and()
+
+            // And how you logout
+            .logout()
+            .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
+            .logoutSuccessUrl("/login")
+            .permitAll();
+    }
+
+    /**
+     * Sets up HttpSecurity for standard local user authentication.
+     */
+    private void disableUserAuth(final HttpSecurity http) throws Exception {
+        // Define the "User" that anonymous web clients will assume.
+        final CustomUserDetails customUserDetails = AnonymousUserDetailsService.getDefaultAnonymousUser();
+
+        http
+            // All requests should require authorization as anonymous
+            .authorizeRequests()
+            .anyRequest()
+            .anonymous()
+            .and()
+            // And the user provider should always return our anonymous user instance
+            // with admin credentials.
+            .anonymous()
+            .principal(customUserDetails)
+            .authorities(new ArrayList<>(customUserDetails.getAuthorities()));
     }
 
     @Bean

kafka-webview-ui/src/main/java/org/sourcelab/kafka/webview/ui/controller/BaseController.java

@@ -24,6 +24,7 @@
 
 package org.sourcelab.kafka.webview.ui.controller;
 
+import org.sourcelab.kafka.webview.ui.configuration.AppProperties;
 import org.sourcelab.kafka.webview.ui.manager.user.CustomUserDetails;
 import org.sourcelab.kafka.webview.ui.model.Cluster;
 import org.sourcelab.kafka.webview.ui.model.View;
@@ -51,14 +52,21 @@ public abstract class BaseController {
     @Autowired
     private ViewRepository viewRepository;
 
+    @Autowired
+    private AppProperties appProperties;
+
     /**
      * Determine if the current user is logged in or not.
      * @return True if so, false if not.
      */
     protected boolean isLoggedIn() {
         // For now bypass auth
-        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
-        if (auth == null || auth instanceof AnonymousAuthenticationToken) {
+        final Authentication auth = SecurityContextHolder.getContext().getAuthentication();
+        if (auth == null) {
+            return false;
+        }
+
+        if (auth instanceof AnonymousAuthenticationToken && appProperties.isUserAuthEnabled()) {
             return false;
         }
         return true;

kafka-webview-ui/src/main/java/org/sourcelab/kafka/webview/ui/manager/user/AnonymousUserDetailsService.java

@@ -0,0 +1,62 @@
+/**
+ * MIT License
+ *
+ * Copyright (c) 2017, 2018 SourceLab.org (https://github.com/Crim/kafka-webview/)
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package org.sourcelab.kafka.webview.ui.manager.user;
+
+import org.sourcelab.kafka.webview.ui.model.User;
+import org.sourcelab.kafka.webview.ui.model.UserRole;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
+
+/**
+ * Simple implementation that should only be used when real user authentication has been disabled.
+ */
+public class AnonymousUserDetailsService implements UserDetailsService {
+    private static CustomUserDetails defaultUserDetails;
+
+    {
+        // Setup a mock user.
+        final User anonymousUser = new User();
+        anonymousUser.setId(0);
+        anonymousUser.setDisplayName("Anonymous User");
+        anonymousUser.setEmail("Anonymous User");
+        anonymousUser.setRole(UserRole.ROLE_ADMIN);
+        anonymousUser.setActive(true);
+
+        defaultUserDetails = new CustomUserDetails(anonymousUser);
+    }
+
+    @Override
+    public UserDetails loadUserByUsername(final String username) throws UsernameNotFoundException {
+        return getDefaultAnonymousUser();
+    }
+
+    /**
+     * @return Default user when not using real user authentication.
+     */
+    public static CustomUserDetails getDefaultAnonymousUser() {
+        return defaultUserDetails;
+    }
+}

kafka-webview-ui/src/main/java/org/sourcelab/kafka/webview/ui/manager/user/CustomUserDetailsService.java

@@ -27,14 +27,15 @@
 import org.sourcelab.kafka.webview.ui.model.User;
 import org.sourcelab.kafka.webview.ui.repository.UserRepository;
 import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.stereotype.Service;
 
 /**
  * Custom User Details Service.  Create Custom User Details implementation.
  */
 @Service
-public class CustomUserDetailsService implements org.springframework.security.core.userdetails.UserDetailsService {
+public class CustomUserDetailsService implements UserDetailsService {
     private final UserRepository userRepository;
 
     public CustomUserDetailsService(final UserRepository userRepository) {

kafka-webview-ui/src/main/resources/config/base.yml

@@ -43,4 +43,6 @@ app:
   key: "SuperSecretKey"
   maxConcurrentWebSocketConsumers: 64
   consumerIdPrefix: "KafkaWebViewConsumer"
-  require-ssl: true
+  requireSsl: true
+  user:
+    enabled: true

kafka-webview-ui/src/main/resources/config/dev.yml

@@ -15,4 +15,6 @@ spring:
     show-sql: true
 
 app:
-  require-ssl: false
+  requireSsl: false
+  user:
+    enabled: true